Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2700656imm;
        Wed, 3 Oct 2018 07:56:52 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60BxCVrLmlopSIoa8RlhBhiPNUzfaRBdirVXsFTd2gj9ZHcJQuCXFqpa766XPS22GLTvKvm
X-Received: by 2002:a17:902:6a2:: with SMTP id 31-v6mr1962988plh.1.1538578612709;
        Wed, 03 Oct 2018 07:56:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538578612; cv=none;
        d=google.com; s=arc-20160816;
        b=LtGvLzTklVACcKwLkLnwzudQum5dEafa5MuoUgL/ZB9ka2RnPWIQUfyGUe513vzsWC
         YVXTpzk1B3wFlWr04q1wqP1Q4G0CUmxTRV44pFX06WbluKigPNE6B35QsG0OTNC2BdFX
         jDAMKU/B0obBI2KGTxG3NTFpUHxViTI27EeE+Memy3xISZgexeuHN6a11LtVXMqz3NjP
         Ybfe7WYiZ7uB+yn7JizUiT/dEiOHMHP2q3Kjx/y1mnmdahthKZ91ZnUT2fMU+Pyer94a
         AxCahv8IDYn+Ny2M6h2TrIuSGm7QHms3CnZK8TwOT+ZpU2OTcFYGtlAb9l2uTnJ9qBuR
         solw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=ir/KwklJg7X4IpzAsOBvcocAb+RbekAk4pHcK6Giabc=;
        b=sfctnHrntNpO4mcAdhsj0V/RVVvzlJFWwhNyf8ub4CPUPeos6CWXTvkIDARmN4Jgjc
         nQNvgMcsfLrPpNyZf9+SsxcOuGNKCu+y3eljWB97o4MfXhXpE6I2MgJEzN9/G+P/xEkk
         AkZ6IOpW+1w7iIm2vdM0ZM2toYl0rrFsaE05ODZRk3BhDvxkiwb+RWZMB6OkDbp4eKhW
         0K3sxQiRMXei6w8tku58kytmIoE1S9DIg9CouI82o58+zcKcZEV+LBiYKxq6v/KJRVmF
         MM1lLqp9hfC7ZMwEp2p72/diwLL4uHpbYohUgQAwJqka1LUC3xvKz2+abvfNAYygcnqn
         fqUw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@umn.edu header.s=20160920 header.b=gZhAdD7s;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x16-v6si1452713pgh.41.2018.10.03.07.56.37;
        Wed, 03 Oct 2018 07:56:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@umn.edu header.s=20160920 header.b=gZhAdD7s;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727180AbeJCVnz (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 3 Oct 2018 17:43:55 -0400
Received: from mta-p1.oit.umn.edu ([134.84.196.201]:38444 "EHLO
        mta-p1.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726748AbeJCVnz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Oct 2018 17:43:55 -0400
Received: from localhost (localhost [127.0.0.1])
        by mta-p1.oit.umn.edu (Postfix) with ESMTP id 5E9DA1D9
        for <linux-kernel@vger.kernel.org>; Wed,  3 Oct 2018 14:55:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h=
        content-type:content-type:subject:subject:message-id:date:date
        :from:from:in-reply-to:references:mime-version:received:received
        :received; s=20160920; t=1538578510; x=1540392911; bh=IlJLfzKa9j
        r+ORaiaIegYdmgXRrDqSUsQqHshUKxjwo=; b=gZhAdD7sNqJ+epjjTwXNtmVEzU
        8w/GKpwlKqO/WkFWbvXggbQBm+7rbds4L/g92P7nYKHurOlB/E5nHe82UG2DMPPY
        OutEBFrYzxT8xLuS4b9iqEhdPaEJZ1diz8yc3j5nj4GoLrxJ2x0M6DJBIfFlzmcy
        EtSwWYRopaR6Hof+lqdmn0phymn0zQdhhpYKIwtqay2WQyf208BCjlrKI6s/tCiK
        2jHpB9itafhbv81t2MDGroZNRe9zgS9wegS68B4MsVsU5i4wyBfJSBGTXwpk3iPu
        Kl03jUEV23+w/Mm61FvufhR+rxwpkTpG9IpnkvNw7+qCemmG71igg+3YbIrg==
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p1.oit.umn.edu ([127.0.0.1])
        by localhost (mta-p1.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id J0XKcDyR0t-g for <linux-kernel@vger.kernel.org>;
        Wed,  3 Oct 2018 09:55:10 -0500 (CDT)
Received: from mail-it1-f172.google.com (mail-it1-f172.google.com [209.85.166.172])
        (using TLSv1 with cipher AES128-SHA (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: wang6495)
        by mta-p1.oit.umn.edu (Postfix) with ESMTPSA id 383121D6
        for <linux-kernel@vger.kernel.org>; Wed,  3 Oct 2018 09:55:10 -0500 (CDT)
Received: by mail-it1-f172.google.com with SMTP id p64-v6so9310580itp.0
        for <linux-kernel@vger.kernel.org>; Wed, 03 Oct 2018 07:55:10 -0700 (PDT)
X-Gm-Message-State: ABuFfogDx8L4gWcgPGcRprOpFAZAcmH7QBJMyW6JzxZ04oQlQtulv8Te
        MyIkli/AWnSfokrZetKDrM0qRJx7V6xiV2XiAtw=
X-Received: by 2002:a24:9005:: with SMTP id x5-v6mr1600039itd.76.1538578509987;
 Wed, 03 Oct 2018 07:55:09 -0700 (PDT)
MIME-Version: 1.0
References: <1538542259-11868-1-git-send-email-wang6495@umn.edu> <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com>
In-Reply-To: <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com>
From:   Wenwen Wang <wang6495@umn.edu>
Date:   Wed, 3 Oct 2018 09:54:34 -0500
X-Gmail-Original-Message-ID: <CAAa=b7diJTzf-Y=6VcYhQGztPTj0uT0MX7-N0YKLW45EpxpcAg@mail.gmail.com>
Message-ID: <CAAa=b7diJTzf-Y=6VcYhQGztPTj0uT0MX7-N0YKLW45EpxpcAg@mail.gmail.com>
Subject: Re: [PATCH] stm class: fix a missing-check bug
To:     alexander.shishkin@linux.intel.com
Cc:     Kangjie Lu <kjlu@umn.edu>,
        open list <linux-kernel@vger.kernel.org>,
        Wenwen Wang <wang6495@umn.edu>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 3, 2018 at 2:57 AM Alexander Shishkin
<alexander.shishkin@linux.intel.com> wrote:
>
> Wenwen Wang <wang6495@umn.edu> writes:
>
> > In stm_char_policy_set_ioctl(), the 'size' field of the struct
> > 'stp_polic_id' is firstly copied from the user space and then checked,
> > because the length of the 'id' field in this struct, which represents an
> > identification string, is not fixed. If the 'size' field cannot pass the
> > check, an error code EINVAL will be returned. However, after the check, the
> > whole struct is copied again from the user space. Given that the user data
> > resides in the user space, a malicious user-space process can race to
> > change the size between the two copies. By doing so, the attacker can
> > bypass the check on the 'size' field and inject malicious data.
>
> How? The id->size is not used for anything.
>
> And even if there was a problem, this:
>
> > -     if (copy_from_user(id, arg, size)) {
> > +     if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> > +                             size - sizeof(size))) {
>
> is completely pointless.

Given that id->size is not used, it should not be copied from the user
space. This code is used to remove such redundant copy.

>
> >               ret = -EFAULT;
> >               goto err_free;
> >       }
> >
> > +     id->size = size;
>
> So, if we did use id->size after the copying, we'd indeed have this line
> in the code. But since we don't, it's also pointless, so it's not there.
>
> Thanks,
> --
> Alex